Since Friday, May 12, 2017, the WannaCry ransomware attack has continued to spread. According to European authorities, the ransomware has hit more than 10,000 organizations and 200,000 individuals in over 150 countries. Although steps have been taken to contain the malware, new variants are surfacing. Gartner has outlined steps that cybersecurity professionals need to take immediately.
First and foremost, apply Microsoft's MS17-010 patch. It closes the SMBv1 flaw that WannaCry exploits to spread from machine to machine. A system that lacks the patch and is reachable on TCP port 445 (the SMB port) is likely to be hit.
To secure their organizations and protect against similar attacks in the future, users then need to take the following steps:
Stop blaming: One of the key stages of incident response is focusing on root causes. Microsoft Windows XP, an OS that has been hit hard by WannaCry, is often embedded in larger systems as part of a vendor's control package. This means the vulnerable software may be neither accessible to nor under the control of the user. Where users run embedded systems, such as point-of-sale terminals, medical imaging equipment, telecom systems, and even industrial output systems like smart card personalization and document production equipment, they need to make it a priority to confirm that the vendor can provide an upgrade path. The same applies to embedded systems built on other OSs, such as Linux or other Unix variants, because it is safe to assume that all complex software contains flaws that malware can exploit.
Isolate vulnerable systems: There will be systems that, although not yet affected by the malware, are still vulnerable. Vulnerable systems are often the ones users rely on most. A useful temporary fix is to limit network connectivity: identify which services can be turned off, especially the vulnerable service in this case, SMBv1 file sharing on TCP port 445, and block that port from untrusted networks until the patch is confirmed.
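The two steps above (confirm the MS17-010 patch, then disable or block the vulnerable file-sharing service where it is missing) can be audited and applied on a single Windows host with the following script. This is an added example, not Gartner's or Microsoft's code. It assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later (the Smb* and Net* cmdlets it uses ship there), and the KB identifiers are the ones listed in the MS17-010 bulletin for each OS; later cumulative updates supersede those KBs, so a "not found" result on an up-to-date Windows 10 host is not by itself proof of exposure.

```powershell
# Added example: audit one Windows host for MS17-010 exposure and apply the
# temporary containment steps from the article. Run elevated.
# Assumption: the KB list below is the one published in the MS17-010 bulletin;
# hosts that received later cumulative updates may be patched without any of
# these KBs appearing in Get-HotFix. Verify the OS build against the bulletin
# in that case.
$Ms17010Kbs = @(
    'KB4012598',                           # Windows XP / Vista / Server 2003 / Windows 8 (out-of-band)
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217',              # Windows Server 2012
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Installed {
    # $true if any of the bulletin's KBs is present on this host.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-Smb1Status {
    # SMBv1 is the protocol the MS17-010 flaw lives in; report whether the
    # server side of it is still enabled.
    (Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Test-Port445Listening {
    # Is anything listening on TCP 445 on this host?
    [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
}

function Invoke-Smb1Containment {
    # Temporary isolation step: turn off SMBv1 and block inbound 445 on every
    # firewall profile until the patch is confirmed. Expect SMB access from
    # other hosts to stop working until the rule is removed.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    New-NetFirewallRule -DisplayName 'Block inbound SMB 445 (WannaCry containment)' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
}

$report = [pscustomobject]@{
    Host             = $env:COMPUTERNAME
    Ms17010Patched   = Test-Ms17010Installed
    Smb1Enabled      = Get-Smb1Status
    Port445Listening = Test-Port445Listening
}
$report | Format-List

# Contain only the combination that is actually exposed: no patch found and
# SMBv1 still on. Remove the firewall rule once the patch is installed.
if (-not $report.Ms17010Patched -and $report.Smb1Enabled) {
    Write-Warning 'Unpatched host with SMBv1 enabled: applying containment.'
    Invoke-Smb1Containment
}
```

Disabling SMBv1 alone does not remove the unpatched code, and blocking 445 breaks legitimate file sharing, so treat both as stopgaps and keep the patch as the actual fix. On Windows 10 and Server 2016 the SMB1Protocol optional feature can also be removed outright with Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol once nothing depends on it.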
Stay vigilant: Gartner's adaptive security architecture emphasizes the need for detection. Make sure malware detection signatures are up to date and confirm that intrusion detection systems are operating and actually examining traffic. Check that user and entity behavior analytics (UEBA), network traffic analysis (NTA) and security information and event management (SIEM) systems are flagging unusual behavior, that those alerts are being triaged, and that incident handlers are responsive. Additional resources may be needed to manage the volume of incidents, liaise with law enforcement agencies, and field questions from the public (and possibly the media). Keep technical staff focused on resolving the key issues and let someone else answer external questions.
Organizations should review their vulnerability management plans; re-examine not just protective measures but also key detection capabilities such as UEBA, NTA and advanced SIEM; perform additional threat modeling; and consider carefully which risks are tolerable. Cloud security should be assessed as part of the same review.
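The "unusual behavior" an NTA or SIEM rule should catch for this worm is a single host suddenly talking SMB to many peers. The script below is an added example, not part of the article or of any Gartner or vendor product: it runs a fan-out check over constructed flow log lines. The line format (timestamp, source, destination, destination port) and the threshold are assumptions chosen for illustration; a production rule would read the real log schema and bind the count to a sliding time window.

```powershell
# Added example: flag hosts that connect to an unusual number of distinct
# peers on TCP 445, the spreading behaviour of WannaCry. The log format
# "time src dst dport" below is an assumption, not any real product's.

function Find-SmbFanOut {
    param(
        [string[]]$Lines,
        [int]$Threshold = 10   # distinct SMB targets per source; tune to your environment
    )
    $Lines |
        ForEach-Object {
            $f = $_ -split '\s+'
            if ($f.Count -ge 4) {
                [pscustomobject]@{ Time = $f[0]; Src = $f[1]; Dst = $f[2]; DstPort = [int]$f[3] }
            }
        } |
        Where-Object { $_.DstPort -eq 445 } |
        Group-Object -Property Src |
        ForEach-Object {
            $distinct = @($_.Group.Dst | Sort-Object -Unique).Count
            if ($distinct -ge $Threshold) {
                [pscustomobject]@{
                    Source             = $_.Name
                    DistinctSmbTargets = $distinct
                    FirstSeen          = ($_.Group.Time | Sort-Object)[0]
                }
            }
        }
}

# Constructed sample: two workstations talk normally to one file server
# (10.0.1.10); a third host (10.0.5.23) fans out to 25 peers on 445 within a
# minute, which is what an infected machine probing the /24 looks like.
$SampleFlows = @(
    '2017-05-12T10:00:01 10.0.5.40 10.0.1.10 445'
    '2017-05-12T10:00:03 10.0.5.41 10.0.1.10 445'
    '2017-05-12T10:00:04 10.0.5.41 10.0.1.10 443'
)
1..25 | ForEach-Object {
    $SampleFlows += ('2017-05-12T10:01:{0:d2} 10.0.5.23 10.0.5.{1} 445' -f $_, $_)
}

Find-SmbFanOut -Lines $SampleFlows -Threshold 10 | Format-Table -AutoSize
# Expected: one row for 10.0.5.23 with DistinctSmbTargets = 25; the two normal
# clients never exceed one target and are not reported.
```

File servers and backup hosts legitimately reach many peers on 445, so baseline per-host target counts before alerting, and prioritise hits from workstations and from hosts that also start reaching external addresses on 445, which WannaCry does as it scans random internet ranges.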